This guide is for a lab scenario where we have Exchange 2010 set up and need a certificate to make OWA / Autodiscover work in the lab.
When we install a standalone Root CA and generate a certificate for our use, it initially works without issues until the certificate is imported into Exchange and we get the error “The Certificate status could not be determined because the revocation check failed”.
This happens because of the CRL Distribution Point URLs, which are configured in the CA server properties on the Extensions tab, and the certificate revocation settings.
These are the default settings for “Extensions” on the Root CA server (screenshots taken from another server).
Let's change these values to work for us.
As the first step, we will set the Configuration Naming Context, which will be used in the CRL path.
Start Command Prompt (CMD) and run the following one-line command:
certutil -setreg CA\DSConfigDN CN=Configuration,DC=vhomelab,DC=com
Replace DC=vhomelab,DC=com with your domain name.
Again, right-click “Revoked Certificates” and select “Publish” from “Tasks”.
This will publish the new CRL with the changes that we made.
Now go to the Domain Controller, browse to the certificate server in a browser (http://YourRootCA/certsrv), and download the “CA Certificate” and the CRL (save them on C:\).
certutil -dspublish -f RootCert.cer RootCA
certutil -dspublish -f RootCRL.crl
Now generate a certificate request from the Exchange Management Shell (you can use the GUI as well).
New-ExchangeCertificate -FriendlyName 'Ex2010-Cert03' -GenerateRequest -PrivateKeyExportable $true -KeySize '2048' -SubjectName 'C=BH,S="State",L="City",O="vHomelab",OU="IT",CN=mail.vhomelab.com' -DomainName 'cas-a.vhomelab.com','mail.vhomelab.com','vhomelab.com','autodiscover.vhomelab.com' -Server 'CAS-A'
Complete the certificate request in the Exchange Management Console.
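Once the certificate is installed, the revocation check behind the error above can be repeated from PowerShell on the Exchange server. This is an added example, not part of the original guide; the function name Test-CertRevocation is hypothetical, and it assumes the certificate sits in the local machine's Personal store with CN=mail.vhomelab.com in its subject.

```powershell
# Added example: build the certificate chain with online revocation checking
# and report the CRL Distribution Points plus any chain errors.
function Test-CertRevocation {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    # CRL Distribution Points extension (OID 2.5.29.31) embedded in the certificate
    $cdp = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $cdpText = if ($cdp) { $cdp.Format($true) } else { '(no CDP extension)' }

    $ns = 'System.Security.Cryptography.X509Certificates'
    $chain = New-Object "$ns.X509Chain"
    # Online: fetch the CRL from the CDP URLs instead of relying on the cache
    $chain.ChainPolicy.RevocationMode = [Enum]::Parse([Type]"$ns.X509RevocationMode", 'Online')
    # ExcludeRoot: check every certificate except the self-signed root
    $chain.ChainPolicy.RevocationFlag = [Enum]::Parse([Type]"$ns.X509RevocationFlag", 'ExcludeRoot')
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15

    $ok = $chain.Build($Cert)

    # RevocationStatusUnknown / OfflineRevocation here mean the CRL could not
    # be retrieved from any CDP URL, which is the condition behind the error.
    $problems = @($chain.ChainStatus | ForEach-Object {
        '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim()
    })

    New-Object PSObject -Property @{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        ChainValid = $ok
        Problems   = $problems
        CDP        = $cdpText
    }
}

# Check every certificate issued for the lab mail host
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*CN=mail.vhomelab.com*' } |
    ForEach-Object { Test-CertRevocation $_ } |
    Format-List Subject, Thumbprint, ChainValid, Problems, CDP
```

An empty Problems list with ChainValid set to True means the CRL was fetched and the chain up to the Root CA is trusted on that machine.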
If you open the certificate by double-clicking it and look under Details, you can see the CRL distribution points.
First, the command that we ran for the Configuration Naming Context was there to get the CRL path configured properly.
Hope this has helped you in some ways.